1
0
mirror of https://github.com/FFmpeg/FFmpeg.git synced 2024-12-23 12:43:46 +02:00

mmvideo: check horizontal coordinate too

Fixes out of array accesses.

Bug-Id: CVE-2013-3672
Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Vittorio Giovara <vittorio.giovara@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>
This commit is contained in:
Michael Niedermayer 2014-08-03 19:24:18 +01:00 committed by Anton Khirnov
parent 849b9d34c7
commit 70cd3b8e65

View File

@ -154,6 +154,8 @@ static int mm_decode_inter(MmContext * s, int half_horiz, int half_vert)
int replace_array = bytestream2_get_byte(&s->gb); int replace_array = bytestream2_get_byte(&s->gb);
for(j=0; j<8; j++) { for(j=0; j<8; j++) {
int replace = (replace_array >> (7-j)) & 1; int replace = (replace_array >> (7-j)) & 1;
if (x + half_horiz >= s->avctx->width)
return AVERROR_INVALIDDATA;
if (replace) { if (replace) {
int color = bytestream2_get_byte(&data_ptr); int color = bytestream2_get_byte(&data_ptr);
s->frame->data[0][y*s->frame->linesize[0] + x] = color; s->frame->data[0][y*s->frame->linesize[0] + x] = color;